cloudstack-issues mailing list archives

From "Andrija Panic (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CLOUDSTACK-8451) Static Nat show wrong IP in VM behind VPC
Date Thu, 07 May 2015 13:04:59 GMT
Andrija Panic created CLOUDSTACK-8451:
-----------------------------------------

             Summary: Static Nat show wrong IP in VM behind VPC
                 Key: CLOUDSTACK-8451
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8451
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: KVM, Network Controller, Virtual Router
    Affects Versions: 4.5.1
         Environment: Ubuntu 14.04, ACS 4.5.1-SNAPSHOT
            Reporter: Andrija Panic


When configuring Port Forwarding on the VPC VR and connecting from the outside world to the VPC IP address,
traffic gets forwarded to the VM behind the VPC.

But if you run "netstat -antup | grep $PORT" (where port is i.e. ssh port) - given result
will show that remote connections come from the Source NAT IP of the VR, instead of the real
remote client IP.

Example:
private VM: 192.168.10.10
Source NAT IP on VPC VR: 1.1.1.1
Additional Public IP on VPC VR: 1.1.1.2
Remote client public IP: 4.4.4.4 (external to VPC)
Test:
from 4.4.4.4 SSH to 1.1.1.2 port 22 (or any other port)
inside 192.168.10.10 do "netstat -antup | grep 22"
Result: Remote IP shown is 1.1.1.1 instead of 4.4.4.4


We found a solution (somewhat tested, and not sure if this would break anything...)

Problem is in the VR's iptables NAT table, POSTROUTING chain, rule:
SNAT all -- * eth2 0.0.0.0/0 0.0.0.0/0 to:1.1.1.1

where 1.1.1.1 is public IP of VR
eth2: is Public Interface of VR
When this rule is deleted, NAT is working fine.

This is a serious issue for anyone using VPC, since there is no way to see the real remote client
IP, and thus no firewall functionality inside the VM, SIP doesn't work, web server logs are useless,
etc.

I also experienced this problem with 4.3.x releases.






--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
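
An added example, not part of the original report and not CloudStack code: a Python check that scans an `iptables -t nat -L POSTROUTING -n -v` listing for SNAT rules shaped like the one quoted in the report, i.e. rules that match any source and any destination. The function name and the sample listing are constructed for illustration; the addresses are the report's example values.

```python
import ipaddress

# Constructed sample of `iptables -t nat -L POSTROUTING -n -v` output.
SAMPLE = """\
Chain POSTROUTING (policy ACCEPT 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  2400 SNAT       all  --  *      eth2    0.0.0.0/0            0.0.0.0/0            to:1.1.1.1
    3   180 SNAT       all  --  *      eth1    192.168.10.0/24      0.0.0.0/0            to:1.1.1.1
    0     0 SNAT       all  --  *      eth3    0.0.0.0/0            192.168.10.10        to:192.168.10.1
"""


def _matches_anything(field):
    """True when an iptables source/destination field is 0.0.0.0/0."""
    return ipaddress.ip_network(field, strict=False).prefixlen == 0


def find_unrestricted_snat(listing):
    """Return (out_interface, snat_address) for every SNAT rule that
    matches any source and any destination.

    Works with or without the leading pkts/bytes counters, so the rule
    line quoted in the report can be passed in as-is.
    """
    findings = []
    for line in listing.splitlines():
        tokens = line.split()
        if "SNAT" not in tokens:
            continue
        i = tokens.index("SNAT")
        # Columns after the target: prot opt in out source destination [options]
        if len(tokens) < i + 8:
            continue
        out_if, src, dst = tokens[i + 4], tokens[i + 5], tokens[i + 6]
        to_addr = next((t[3:] for t in tokens[i + 7:] if t.startswith("to:")), None)
        if to_addr is None:
            continue
        try:
            unrestricted = _matches_anything(src) and _matches_anything(dst)
        except ValueError:
            continue  # negated ("!x") or otherwise non-address field: it is restricted
        if unrestricted:
            findings.append((out_if, to_addr))
    return findings


if __name__ == "__main__":
    for out_if, to_addr in find_unrestricted_snat(SAMPLE):
        print(f"SNAT on {out_if} rewrites every source to {to_addr}")
```
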
